In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however, were not using this by-default characteristic of the PropertyUtilsBean.

Reference: http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cC628798F-315D-4428-8CB1-4ED1ECC958E4@apache.org%3e
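The description above is about a configuration knob that already existed in 1.9.2 and 1.9.3 but was not switched on by default; the 1.9.4 release turns it on. The following Java program is an added example, not code from this bug report or from the Commons BeanUtils project. It assumes a commons-beanutils 1.9.2 or later jar on the classpath and uses a constructed `UserForm` bean. It contrasts a default `PropertyUtilsBean`, which reports `class` as a readable property, with one on which `SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS` has been registered, and wires the hardened instance into a `BeanUtilsBean` so that `populate()` and `copyProperties()` go through it.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.ConvertUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/** Added example: opt in to class-property suppression on commons-beanutils 1.9.2/1.9.3. */
public class BeanUtilsHardening {

    /** Constructed sample bean, standing in for any object populated from request parameters. */
    public static class UserForm {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /** Builds a PropertyUtilsBean that hides the "class" property from bean introspection. */
    public static PropertyUtilsBean hardenedPropertyUtils() {
        PropertyUtilsBean pu = new PropertyUtilsBean();
        // SUPPRESS_CLASS is the introspector shipped since 1.9.2; 1.9.4 registers it by default.
        pu.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        // Property descriptors are cached per class; clearing the cache makes sure that
        // nothing introspected before the introspector was added still exposes "class".
        pu.clearDescriptors();
        return pu;
    }

    public static void main(String[] args) throws Exception {
        UserForm form = new UserForm();

        // Default instance (pre-1.9.4 behaviour): "class" is exposed as a readable property,
        // which is the entry point to the class loader that the advisory describes.
        PropertyUtilsBean unguarded = new PropertyUtilsBean();
        System.out.println("default  'class' readable: " + unguarded.isReadable(form, "class"));

        // Hardened instance: "class" is no longer a property, so nested paths through it cannot resolve.
        PropertyUtilsBean guarded = hardenedPropertyUtils();
        System.out.println("hardened 'class' readable: " + guarded.isReadable(form, "class"));

        // Use the hardened PropertyUtilsBean for the BeanUtilsBean that handles populate()/copyProperties().
        BeanUtilsBean beanUtils = new BeanUtilsBean(new ConvertUtilsBean(), guarded);

        // Constructed request-style input: only declared bean properties are applied.
        Map<String, Object> params = new HashMap<>();
        params.put("name", "alice");
        beanUtils.populate(form, params);
        System.out.println("name after populate: " + form.getName());
    }
}
```

Applications that call the static `BeanUtils.populate()` or `BeanUtils.copyProperties()` use the shared singleton rather than an instance they construct; for those, the same registration is done once at startup on `BeanUtilsBean.getInstance().getPropertyUtils()`, followed by `clearDescriptors()`, before any untrusted input is processed. Upgrading to 1.9.4 removes the need for either, since the introspector is then active by default.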
Created apache-commons-beanutils tracking bugs for this issue:

Affects: fedora-all [bug 1767498]
The page for the CVE entry [0] claims that this affects versions <= 1.9.3, so 1.9.4 does not have this issue - do I understand this correctly? If so, we can just merge the 1.9.4 update that's already in rawhide to stable fedora releases as well.

[0]: https://nvd.nist.gov/vuln/detail/CVE-2019-10086
External References: https://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.4/RELEASE-NOTES.txt
RHSSO 7.3.4 ships commons-beanutils-1.9.3.redhat-1.jar, which seems to be affected as per the description. This flaw allows an attacker to manipulate the class loader properties on the server, and I am not sure which properties are exposed by RHSSO, so I am creating the tracker and leaving it to the dev team to take it further.
This vulnerability is out of security support scope for the following products:

* Red Hat Enterprise Application Platform 6
* Red Hat Enterprise Application Platform 5
* Red Hat JBoss Operations Network 3
* Red Hat JBoss BPMS 6
* Red Hat JBoss BRMS 6
* Red Hat JBoss SOA Platform 5
In reply to comment #8:
> This vulnerability is out of security support scope for the following
> products:
> * Red Hat Enterprise Application Platform 6
> * Red Hat Enterprise Application Platform 5
> * Red Hat JBoss Operations Network 3
> * Red Hat JBoss BPMS 6
> * Red Hat JBoss BRMS 6
> * Red Hat JBoss SOA Platform 5

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Both RHDM 7.5.1 and RHPAM 7.5.1 ship commons-beanutils-1.9.3.redhat-1.jar, which seems to be affected, so marking them as affected and creating trackers for them:

./standalone/deployments/decision-central.war/WEB-INF/lib/commons-beanutils-1.9.3.redhat-1.jar
./standalone/deployments/business-central.war/WEB-INF/lib/commons-beanutils-1.9.3.redhat-1.jar
This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:4317 https://access.redhat.com/errata/RHSA-2019:4317
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10086
This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:0057 https://access.redhat.com/errata/RHSA-2020:0057
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:0194 https://access.redhat.com/errata/RHSA-2020:0194
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2020:0811 https://access.redhat.com/errata/RHSA-2020:0811
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8 Via RHSA-2020:0806 https://access.redhat.com/errata/RHSA-2020:0806
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6 Via RHSA-2020:0804 https://access.redhat.com/errata/RHSA-2020:0804
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7 Via RHSA-2020:0805 https://access.redhat.com/errata/RHSA-2020:0805
This issue has been addressed in the following products: Red Hat Decision Manager Via RHSA-2020:0899 https://access.redhat.com/errata/RHSA-2020:0899
This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2020:0951 https://access.redhat.com/errata/RHSA-2020:0951
This issue has been addressed in the following products:

Red Hat Virtualization Engine 4.3
Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2020:1308 https://access.redhat.com/errata/RHSA-2020:1308
This issue has been addressed in the following products: Red Hat Satellite 6.7 for RHEL 7 Via RHSA-2020:1454 https://access.redhat.com/errata/RHSA-2020:1454
Mitigation: There is no currently known mitigation for this flaw.
This issue has been addressed in the following products: Red Hat Openshift Application Runtimes Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067
This issue has been addressed in the following products: Red Hat Data Grid 7.3.6 Via RHSA-2020:2321 https://access.redhat.com/errata/RHSA-2020:2321
This issue has been addressed in the following products: EAP-CD 19 Tech Preview Via RHSA-2020:2333 https://access.redhat.com/errata/RHSA-2020:2333
This issue has been addressed in the following products: Red Hat Fuse 7.6.0 on EAP async Via RHSA-2020:2619 https://access.redhat.com/errata/RHSA-2020:2619
This issue has been addressed in the following products: Red Hat Satellite 6.5 for RHEL 7 Via RHSA-2020:2740 https://access.redhat.com/errata/RHSA-2020:2740
This issue has been addressed in the following products: Red Hat Fuse 7.7.0 Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192
This issue has been addressed in the following products: Red Hat Process Automation Via RHSA-2020:3197 https://access.redhat.com/errata/RHSA-2020:3197
This issue has been addressed in the following products: Red Hat Virtualization Engine 4.4 Via RHSA-2020:3247 https://access.redhat.com/errata/RHSA-2020:3247
This issue has been addressed in the following products: Red Hat Fuse 6.3 Via RHSA-2020:3587 https://access.redhat.com/errata/RHSA-2020:3587